[secdir] secdir review of draft-ietf-dnsop-as112-dname-04

"Klaas Wierenga (kwiereng)" <kwiereng@cisco.com> Thu, 07 August 2014 09:44 UTC

Return-Path: <kwiereng@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id E0F4D1B2A20; Thu, 7 Aug 2014 02:44:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id CszkVgugyV03; Thu, 7 Aug 2014 02:44:51 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D3451B28C6; Thu, 7 Aug 2014 02:44:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1669; q=dns/txt; s=iport; t=1407404691; x=1408614291; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=+kAIljJgQ30+HHp564jvu+1EbS19vzHoQlvVQpAVbQE=; b=ZB5larAejicEg02x4pfEfoJMN9eYySm8A3FXyk6vifoZ6IIPe9IQT3Sd 36Kny0OU9ISGqmY6NvcNDH7ySOH15/jy2ncRuD0/5LEgOu/BcouGynO0/ jO769EWW7GyJevw9eAMFneoaD5ityDQY0sTzd8+vg12xTC7C/M33lcQxN o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhIFADBK41OtJV2c/2dsb2JhbABagw2BLdUsFneECoELAYEAJwQBiFTDdReOdIQOgRwFnBiUbYNXgXBC
X-IronPort-AV: E=Sophos;i="5.01,816,1400025600"; d="scan'208";a="345528567"
Received: from rcdn-core-5.cisco.com ([]) by rcdn-iport-1.cisco.com with ESMTP; 07 Aug 2014 09:44:50 +0000
Received: from xhc-rcd-x12.cisco.com (xhc-rcd-x12.cisco.com []) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id s779iovi007391 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 7 Aug 2014 09:44:50 GMT
Received: from xmb-aln-x12.cisco.com ([]) by xhc-rcd-x12.cisco.com ([]) with mapi id 14.03.0123.003; Thu, 7 Aug 2014 04:44:50 -0500
From: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>
To: "draft-ietf-dnsop-as112-dnam.all@tools.ietf.org" <draft-ietf-dnsop-as112-dnam.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: secdir review of draft-ietf-dnsop-as112-dname-04
Thread-Index: AQHPsiQ7P55iCfHuK0WU2psSv6HHWw==
Date: Thu, 07 Aug 2014 09:44:50 +0000
Message-ID: <DE3B6360-4AB9-43C4-9E05-2EA3C5B547D8@cisco.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <D3CF2C0B6BA7FD43B309C35CF131FFD9@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/rLKZAHPCHLfszyKAesFperbdYHI
Subject: [secdir] secdir review of draft-ietf-dnsop-as112-dname-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2014 09:44:53 -0000


I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

I believe this document is "ready with issues."

The document describes adding and dropping of zones for AS112, the zone that is meant rot act as a sinkhole for reverse lookups for addresses that are for private-use only.

I think the document is clearly written and with my limited understanding of DNS it all seems to make sense from a technical point of view. 

What I am not so sure of however is the statement in the security considerations: 

"This document presents no known additional security concerns to the Internet.
For security considerations relating to AS112 service in general, see RFC6304bis]."

And in the introduction

"The AS112 project does not accommodate the addition and removal of
  DNS zones elegantly.  Since additional zones of definitively local
  significance are known to exist”

It appears to me that moving from a static list of well known ranges as defined in 6304bis to a dynamic adding and dropping of IP-address ranges that are "of definitively local
  significance” is prone to error, potentially leading to blackholing valid address space, either on purpose or by accident. I may show my ignorance here, but I feel that a discussions as to why that risk doesn’t exist is warranted. 

Hope this helps,